OpenID Connect Fails with Keycloak #1755
Reference: vikunja/vikunja#1755
I'm attempting to sign in using OpenID Connect to a local Keycloak instance. I get a redirect back to the login on the Vikunja frontend, with Keycloak logging an error that the scopes requested are invalid.
I think some digging into it suggests that Vikunja makes a request using a blank scopes parameter, which current versions of Keycloak reject. I think that other providers are laxer about it, but technically the standard says to reject such requests, if I've understood the issue correctly.
What are the exact error messages from Keycloak and Vikunja (from the network tab)?
As far as I can tell from the network tab, when I click "Log In With Keycloak", the request goes out to
https://keycloak.example.com/auth/realms/<realm>/protocol/openid-connect/auth?client_id=<id>&redirect_uri=https://vikunja.example.com/keycloak&response_type=code&scope=&state=whatever
Keycloak responds to this with a 302, redirecting to
https://vikunja.example.com/keycloak?error=invalid_request&error_description=Invalid+scopes%3A+&state=whatever
I don't see any additional logging, and it seems like Vikunja redirects this back to the login page. Since Vikunja receives the response and handles the rewrite, everything after that is a 200, which makes sense. The URL that Vikunja reaches is the correct auth URL from Keycloak's well-known configuration.
Keycloak logs
Here's a link to a similar issue in Dokuwiki: https://github.com/cosmocode/dokuwiki-plugin-oauth/issues/89.
The behaviour in Keycloak to error on no scopes is new to version 10.
I can confirm that changing the request to include `&scope=openid` avoids the invalid scopes error, but I don't have enough time at the moment to fully test out a PR. Hopefully that helps, let me know if any other info would be useful!

I've added the `openid` scope in ffde50453a - could you check the latest build to see if that fixed it?

Cheers, that seems to have done it (using the latest docker image).
After getting the config set up (I didn't have `service.frontendurl` set and instead had `auth.openid.redirecturl` set to `https://vikunja.example.com/`), it looks like it works quite smoothly. I blame that misreading of the config example on myself, because immediately above is the line about needing to be redirected to `https://vikunja.example.com/auth/openid/<key>`, which is why that failed.

Glad it works now!
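As an added illustration (not Vikunja's or Keycloak's own code), the small Go program below builds the authorization request exactly as it appears in the network trace above, applies the check Keycloak 10+ enforces (the `openid` scope must be present), and parses the `error`/`error_description` parameters off the redirect so a client can log the failure instead of silently bouncing to the login page; the realm, client id and function names are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AuthorizeURL builds the authorization request as the browser sends it; an empty scopes list yields the "scope=" Keycloak 10+ rejects.
func AuthorizeURL(endpoint, clientID, redirectURI, state string, scopes []string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	return endpoint + "?" + q.Encode()
}

// ValidateOIDC applies the rule the provider enforces: an OpenID Connect
// authorization request must carry the "openid" scope.
func ValidateOIDC(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	scope := u.Query().Get("scope")
	for _, s := range strings.Fields(scope) {
		if s == "openid" {
			return nil
		}
	}
	return fmt.Errorf("invalid_request: Invalid scopes: %q", scope)
}

// CallbackError reads the error the provider attached to its redirect back to the client, so it can be logged rather than swallowed.
func CallbackError(redirect string) (code, desc string, found bool) {
	u, err := url.Parse(redirect)
	if err != nil || u.Query().Get("error") == "" {
		return "", "", false
	}
	return u.Query().Get("error"), u.Query().Get("error_description"), true
}

func main() {
	// Constructed sample values; the host names mirror the placeholders used in this issue.
	ep := "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/auth"
	fmt.Println(ValidateOIDC(AuthorizeURL(ep, "vikunja", "https://vikunja.example.com/keycloak", "whatever", nil)))
	fmt.Println(ValidateOIDC(AuthorizeURL(ep, "vikunja", "https://vikunja.example.com/keycloak", "whatever", []string{"openid"})))
}
```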